form_post sends the token response as a form post instead of a fragment encoded redirect (optional)

state

identityserver will echo back the state value on the token response; this is for round-tripping state between client and provider, correlating request and response, and CSRF/replay protection. (recommended)

nonce

identityserver will echo back the nonce value in the identity token; this is for replay protection.

Required for identity tokens via implicit grant.

prompt

none no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned

login the login UI will be shown, even if the user is already signed-in and has a valid session

code_challenge

sends the code challenge for PKCE

code_challenge_method

plain indicates that the challenge is using plain text (not recommended)
S256 indicates the challenge is hashed with SHA256

login_hint

can be used to pre-fill the username field on the login page

ui_locales

gives a hint about the desired display language of the login UI

max_age

if the user’s logon session exceeds the max age (in seconds), the login UI will be shown
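
How a client might generate and verify `state`, `nonce` and an S256 `code_challenge` for one authorize request, as an added example that is not IdentityServer's own code. The endpoint URL, client id, redirect URI, the `response_type`/`scope` values and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def b64url(data: bytes) -> str:
    # base64url without padding, the encoding PKCE (RFC 7636) uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_request(authorize_endpoint: str, client_id: str, redirect_uri: str):
    # Fresh, unguessable values per request; the client keeps them in its own session.
    session = {
        "state": b64url(secrets.token_bytes(32)),
        "nonce": b64url(secrets.token_bytes(32)),
        "code_verifier": b64url(secrets.token_bytes(32)),  # 43 characters
    }
    params = {
        "client_id": client_id,          # assumed client registration
        "redirect_uri": redirect_uri,    # assumed callback
        "response_type": "code",
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params), session


def check_callback(callback_url: str, session: dict) -> str:
    # Reject the response unless the echoed state matches what this session sent.
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    return query["code"][0]


def check_nonce(id_token_claims: dict, session: dict) -> None:
    # The nonce claim of the (already signature-validated) identity token must match.
    claim = str(id_token_claims.get("nonce", ""))
    if not hmac.compare_digest(claim.encode(), session["nonce"].encode()):
        raise ValueError("nonce mismatch: identity token was not issued for this request")
```

The `code_verifier` stays on the client and is sent only later, with the token request, so the provider can recompute the challenge and compare.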